4.2 Segmentation and Paging under Windows

0 and Ring 3) allowed protection to be implemented through paging. Once again, we see that Windows isn't using all the bells and whistles afforded to it by the Intel hardware.

Paging

In Windows, each process is assigned its own dedicated CR3 control register value. Recall that this register stores the 20-bit PFN of a page directory. Hence, each process has its own page directory. The associated CR3 value is stored in the DirectoryTableBase field of the process's KPROCESS structure, which is itself a substructure of the process's EPROCESS structure. If this sentence just flew over your head, don't worry. For the time being, just accept the fact that Windows has internal accounting structures that store the values that we plug into CR3. When the Windows kernel performs a task switch, it loads CR3 with the value belonging to the process that has been selected to run.

The following kernel-mode debugger extension command provides us with the list of every active process.

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 82b5ed90  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00122000  ObjectTable: 868000b0  HandleCount: 355.
    Image: System

PROCESS 8389c230  SessionId: none  Cid: 0170    Peb: 7ffd6000  ParentCid: 0004
    DirBase: 13f78000  ObjectTable: 89435500  HandleCount:  28.
    Image: smss.exe

PROCESS 83878928  SessionId: 0  Cid: 01b0    Peb: 7ffdf000  ParentCid: 01a4
    DirBase: 12338000  ObjectTable: 8943b0f0  HandleCount: 421.
    Image: csrss.exe

PROCESS 83275d90  SessionId: 0  Cid: 01dc    Peb: 7ffd7000  ParentCid: 01a4
    DirBase: 1157b000  ObjectTable: 8cedab48  HandleCount:  95.
    Image: wininit.exe

The !process command displays information about one or more processes. The first argument is typically either a process ID or the hexadecimal address of the EPROCESS block assigned to the process. If the first argument is zero, as in the case above, then information on all active processes is generated. The second argument specifies a 4-bit value that indicates how much information should be given (where 0x0 provides the least amount of detail and 0xF provides the most).
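As an added example (not from the book), a small Python parser for the `!process 0 0` listing above: it pulls each process's DirBase out of the dump, derives the 20-bit page directory PFN from it (the value CR3 carries in bits 31:12), checks that the value is page aligned, and confirms that no two listed processes share a page directory. The sample listing is a cleaned copy of the output shown above; the regexes are tolerant of the spacing differences between WinDbg versions.

```python
import re

# Constructed sample: the `!process 0 0` listing from the text (whitespace normalised).
SAMPLE = """\
PROCESS 82b5ed90  SessionId: none  Cid: 0004  Peb: 00000000  ParentCid: 0000
    DirBase: 00122000  ObjectTable: 868000b0  HandleCount: 355.
    Image: System
PROCESS 8389c230  SessionId: none  Cid: 0170  Peb: 7ffd6000  ParentCid: 0004
    DirBase: 13f78000  ObjectTable: 89435500  HandleCount: 28.
    Image: smss.exe
PROCESS 83878928  SessionId: 0  Cid: 01b0  Peb: 7ffdf000  ParentCid: 01a4
    DirBase: 12338000  ObjectTable: 8943b0f0  HandleCount: 421.
    Image: csrss.exe
PROCESS 83275d90  SessionId: 0  Cid: 01dc  Peb: 7ffd7000  ParentCid: 01a4
    DirBase: 1157b000  ObjectTable: 8cedab48  HandleCount: 95.
    Image: wininit.exe
"""

HEADER_RE = re.compile(r"PROCESS\s+(?P<eprocess>[0-9a-f]+).*?\bCid:\s*(?P<cid>[0-9a-f]+)"
                       r".*?ParentCid:\s*(?P<ppid>[0-9a-f]+)", re.I)
DIRBASE_RE = re.compile(r"DirBase:\s*(?P<dirbase>[0-9a-f]+)", re.I)
IMAGE_RE = re.compile(r"Image:\s*(?P<image>\S+)")

def parse_process_dump(text):
    """One dict per PROCESS block; DirBase is the CR3 value, split into its 20-bit PFN."""
    procs, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            cur = {"eprocess": int(m["eprocess"], 16), "cid": int(m["cid"], 16),
                   "parent_cid": int(m["ppid"], 16)}
            procs.append(cur)
        elif cur is not None and (m := DIRBASE_RE.search(line)):
            cr3 = int(m["dirbase"], 16)               # loaded into CR3 when this process is scheduled
            cur["dirbase"] = cr3
            cur["pfn"] = cr3 >> 12                    # PFN of the page directory (CR3 bits 31:12)
            cur["page_aligned"] = (cr3 & 0xFFF) == 0  # a page directory occupies a whole 4 KB frame
        elif cur is not None and (m := IMAGE_RE.search(line)):
            cur["image"] = m["image"]
    return procs

def parent_image(procs, cid):
    """Image of the parent of process `cid`, or None when the parent is not in the listing."""
    by_cid = {p["cid"]: p for p in procs}
    parent = by_cid.get(by_cid[cid]["parent_cid"])
    return parent["image"] if parent else None

def each_process_has_own_directory(procs):
    """True when every listed process has a distinct, page-aligned CR3 value."""
    bases = [p["dirbase"] for p in procs if "dirbase" in p]
    return len(bases) == len(set(bases)) and all(p.get("page_aligned") for p in procs)
```

`parent_image` returns None for wininit.exe because its parent (Cid 01a4) is not part of the excerpt, which is the situation a forensic script meets when working from a truncated listing.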

Part I | 123